[RFC] WYSIWYG editor

bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

[RFC] WYSIWYG editor

Post by bobtheman »

This thread will be for the collaboration and creation of the wysiwyg RFC. After it's completed we will copy it over to the wiki. All constructive criticism is welcome, especially when it's working towards a finished product.

Objectives
1. Usability. More friendly, appealing, ease of use, ability to extend
2. Performance. Comparable page loads to older bb editors
3. Security. Ability to pass security audit, no sacrifice of security

Proposed WYSIWYG editors for inclusion
The editor must be in compliance with phpbb license requirements
1. TinyMCE http://tinymce.moxiecode.com
2. New WYSIWYG editor created by phpbb team

Default Included functions

Bold, Italics, url, Save, Text Color, Remove Formatting, Spell Checker, Preview, align, anchor, font size, font family, insert image, quote

Emotions - This could replace the current smilie insert system.

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany

Re: [RFC] WYSIWYG editor

Post by naderman »

bobtheman wrote: This thread will be for the collaboration and creation of the wysiwyg RFC. After it's completed we will copy it over to the wiki.
Would you mind creating the rfc page on the wiki already and putting a link to this topic in it? You can list it under "draft".

bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: [RFC] WYSIWYG editor

Post by bobtheman »

I would love to, but I have never been successful with logging into the wiki. I have created accounts on the area51, support forums, and created a new account from the wiki itself and still no luck. It won't let me log in.

Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: [RFC] WYSIWYG editor

Post by Kellanved »

I would push this very far back. The inclusion of an actual editor is javascript development not inherently linked to the core.
There is one aspect that needs attention:
How can custom bbcodes be designed so that an eventual editor can support them?

All other questions, especially which editor to use, can be postponed until the core features are done. Surveying the current situation, it seems to me that tinyMCE is too hardwired for HTML, any bbcode support takes the shape of a hack. CKeditor looks more promising, but implementing an extensible bbcode parser and writer would take serious effort.
No support via PM.
Trust me, I'm a doctor.

bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: [RFC] WYSIWYG editor

Post by bobtheman »

Kellanved wrote: I would push this very far back. The inclusion of an actual editor is javascript development not inherently linked to the core.
There is one aspect that needs attention:
How can custom bbcodes be designed so that an eventual editor can support them?

All other questions, especially which editor to use, can be postponed until the core features are done. Surveying the current situation, it seems to me that tinyMCE is too hardwired for HTML, any bbcode support takes the shape of a hack. CKeditor looks more promising, but implementing an extensible bbcode parser and writer would take serious effort.
Can we discuss the necessity of a bbcode parser, the possibility of moving away from the bbcode parser and using an alternative like a properly written html filtering system which is just as safe as the bbcode parser and could be safer security-wise?

Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: [RFC] WYSIWYG editor

Post by Kellanved »

Frankly, I have yet to see such a thing as a "secure HTML parser". It simply doesn't exist, which is the very nature of HTML. Even worse, it would still be bbcode, but masquerading as HTML. Consider that style classes etc have to be added to the entered HTML, url re-writing has to be done, permissions have to be checked. BBcode can use '<' instead of '[', but that doesn't change the nature of the beast. Moreover, remember that people have to be able to post without the editor, using plain text.

Nonetheless, supporting bbcode does not mean that bbcode has to be the only means of entering formatting.
No support via PM.
Trust me, I'm a doctor.

bobtheman
Registered User
Posts: 63
Joined: Sat Dec 19, 2009 4:00 pm

Re: [RFC] WYSIWYG editor

Post by bobtheman »

Kellanved wrote: Frankly, I have yet to see such a thing as a "secure HTML parser". It simply doesn't exist, which is the very nature of HTML. Even worse, it would still be bbcode, but masquerading as HTML. Consider that style classes etc have to be added to the entered HTML, url re-writing has to be done, permissions have to be checked. BBcode can use '<' instead of '[', but that doesn't change the nature of the beast. Moreover, remember that people have to be able to post without the editor, using plain text.

Nonetheless, supporting bbcode does not mean that bbcode has to be the only means of entering formatting.
Thanks for clearing that up.

Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code

Re: [RFC] WYSIWYG editor

Post by Highway of Life »

Kellanved wrote: Frankly, I have yet to see such a thing as a "secure HTML parser". It simply doesn't exist, which is the very nature of HTML.
This piqued my curiosity. :)

If you had an HTML parser that:
  1. Doesn’t allow the no-no HTML tags such as: script and style. (iframe isn't usable under rule #2)
  2. Doesn’t allow any attributes.
What would be an example following those rules where you could exploit that HTML parser?

Rotsblok
Registered User
Posts: 325
Joined: Mon Nov 14, 2005 12:21 pm
Location: x= y+1

Re: [RFC] WYSIWYG editor

Post by Rotsblok »

Highway of Life wrote:
Kellanved wrote: Frankly, I have yet to see such a thing as a "secure HTML parser". It simply doesn't exist, which is the very nature of HTML.
This piqued my curiosity. :)

If you had an HTML parser that:
  1. Doesn’t allow the no-no HTML tags such as: script and style. (iframe isn't usable under rule #2)
  2. Doesn’t allow any attributes.
What would be an example following those rules where you could exploit that HTML parser?
Hummm I guess you don't mean these things http://www.w3schools.com/HTML/html_attributes.asp otherwise it may be a bit hard to do stuff.. Or do you only want to allow tags like: b, i, ul, ol, li, strong, span (but I think that will be of little use), code, sub, sup. In essence only these tags http://www.w3schools.com/HTML/html_formatting.asp ? I think you will have some hard times then to have a bit more format in your text.. For example alignment, text colouring, would be a bit difficult since most ppl want to have valid html code..

I think parsing for things on a black list (hardcoded) to remove tags like <script><style><iframe> and attributes like onclick, onmouseover, onmouseout, etc would be better if you go to allow html tags.. Although I do not know what that takes...
ø = 1.618033988749895...
Everything has ø in it
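
The two filtering approaches raised in the posts above, as an added example that is not part of the thread and not phpBB code: an allowlist filter following Highway of Life's two rules (formatting tags only, no attributes) beside the hardcoded blacklist Rotsblok suggests. The function names and the sample inputs used with them are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Formatting tags named in the thread; every other tag is dropped.
ALLOWED = {"b", "i", "ul", "ol", "li", "strong", "code", "sub", "sup"}
DROP_CONTENT = {"script", "style"}  # these elements are discarded with their bodies


class AllowlistSanitizer(HTMLParser):
    """Re-serialise input from parse events: allowed tags only, no attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED and not self.skip:
            self.open.append(tag)
            self.out.append(f"<{tag}>")  # attrs are never copied to the output

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.open and not self.skip:
            while self.open:  # close inner tags first so the output stays balanced
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # text is always re-escaped


def sanitize_allowlist(markup):
    p = AllowlistSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out) + "".join(f"</{t}>" for t in reversed(p.open))


def sanitize_denylist(markup):
    """Hardcoded blacklist as proposed in the thread, for comparison."""
    markup = re.sub(r"(?is)<(script|style|iframe)\b.*?</\1\s*>", "", markup)
    return re.sub(r'''(?i)\s(onclick|onmouseover|onmouseout)\s*=\s*("[^"]*"|'[^']*'|\S+)''', "", markup)
```

The blacklist removes only what it enumerates, so an attribute missing from its list passes through unchanged, while the allowlist output is rebuilt from parse events and never copies input markup through.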

Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code

Re: [RFC] WYSIWYG editor

Post by Highway of Life »

No, I’m not trying to make an HTML parser or discussing the usefulness of such a parser with those rules, I’m specifically addressing the question of if a “Secure” HTML parser - Kellanved said that such a parser doesn’t exist, so I’m curious based on the rules I stated above how you would exploit such an HTML parser.